From patchwork Tue Oct 6 01:38:44 2015
X-Patchwork-Submitter: Andy Zhou
X-Patchwork-Id: 526611
From: Andy Zhou
To: dev@openvswitch.org
Date: Mon, 5 Oct 2015 18:38:44 -0700
Subject: [ovs-dev] [Debian-non-root 4/4] Debian: start daemons as ovs(non-root) user
Message-Id: <1444095524-11357-4-git-send-email-azhou@nicira.com>
In-Reply-To: <1444095524-11357-1-git-send-email-azhou@nicira.com>
References: <1444095524-11357-1-git-send-email-azhou@nicira.com>

Changes to Debian packaging scripts to create the ovs user and group. Fix the permissions of ovs-created files and directories so that they are accessible by users belonging to the ovs group. Start daemons as the ovs user.
Signed-off-by: Andy Zhou ---- This patch does not include changes to the ipsec package. Ansis has other plans for updating it. --- NEWS | 3 ++- debian/automake.mk | 1 + debian/openvswitch-common.postinst | 42 ++++++++++++++++++++++++++++++ debian/openvswitch-pki.postinst | 2 ++ debian/openvswitch-switch.init | 1 + debian/openvswitch-switch.logrotate | 2 +- debian/openvswitch-switch.postinst | 3 +++ debian/openvswitch-testcontroller.init | 3 ++- debian/openvswitch-testcontroller.postinst | 2 ++ debian/openvswitch-vtep.init | 8 +++++- 10 files changed, 63 insertions(+), 4 deletions(-) create mode 100755 debian/openvswitch-common.postinst diff --git a/NEWS b/NEWS index cdf2815..8f0e5b6 100644 --- a/NEWS +++ b/NEWS @@ -23,7 +23,8 @@ Post-v2.4.0 - Dropped support for GRE64 tunnel. - Mark --syslog-target argument as deprecated. It will be removed in the next OVS release. - - Added --user option to all daemons + - Added --user option to all daemons. + - Debain package starts daemons as the 'ovs' user. v2.4.0 - 20 Aug 2015 diff --git a/debian/automake.mk b/debian/automake.mk index c29a560..3092569 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -8,6 +8,7 @@ EXTRA_DIST += \ debian/dkms.conf.in \ debian/dirs \ debian/openvswitch-common.dirs \ + debian/openvswitch-common.postinst \ debian/openvswitch-common.docs \ debian/openvswitch-common.install \ debian/openvswitch-common.manpages \ diff --git a/debian/openvswitch-common.postinst b/debian/openvswitch-common.postinst new file mode 100755 index 0000000..c90ab5a --- /dev/null +++ b/debian/openvswitch-common.postinst 
@@ -0,0 +1,42 @@ +#!/bin/sh +# postinst script for openvswitch-switch +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + +case "$1" in + configure) + LOGDIR=/var/log/openvswitch + # Create the ovs user and group. + adduser --system --group --no-create-home --quiet ovs || true + + # Fix ownership and permissions. + chown -R ovs:ovs $LOGDIR + chmod -R 0770 $LOGDIR + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/openvswitch-pki.postinst b/debian/openvswitch-pki.postinst index f4705e9..030180d 100755 --- a/debian/openvswitch-pki.postinst +++ b/debian/openvswitch-pki.postinst @@ -31,6 +31,8 @@ case "$1" in if test ! -e /var/lib/openvswitch/pki; then ovs-pki init fi + + chown ovs:ovs -R /var/lib/openvswitch/pki ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/debian/openvswitch-switch.init b/debian/openvswitch-switch.init index 8e156da..febf414 100755 --- a/debian/openvswitch-switch.init +++ b/debian/openvswitch-switch.init @@ -64,6 +64,7 @@ start () { if test X"$FORCE_COREFILES" != X; then set "$@" --force-corefiles="$FORCE_COREFILES" fi + set "$@" --no-run-as-root set "$@" $OVS_CTL_OPTS "$@" || exit $? if [ "$2" = "start" ] && [ "$READ_INTERFACES" != "no" ]; then diff --git a/debian/openvswitch-switch.logrotate b/debian/openvswitch-switch.logrotate index a7a71bd..be929b6 100644 --- a/debian/openvswitch-switch.logrotate +++ b/debian/openvswitch-switch.logrotate @@ -1,7 +1,7 @@ /var/log/openvswitch/*.log { daily compress - create 640 root adm + create 640 ovs ovs delaycompress missingok rotate 30 
diff --git a/debian/openvswitch-switch.postinst b/debian/openvswitch-switch.postinst index 2464572..9183bdc 100755 --- a/debian/openvswitch-switch.postinst +++ b/debian/openvswitch-switch.postinst @@ -33,6 +33,9 @@ case "$1" in fi done fi + + # fix owner and permissions for /etc/openvswitch. + chown ovs:ovs -R /etc/openvswitch ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/debian/openvswitch-testcontroller.init b/debian/openvswitch-testcontroller.init index 67b7a99..352c95d 100755 --- a/debian/openvswitch-testcontroller.init +++ b/debian/openvswitch-testcontroller.init @@ -109,7 +109,7 @@ start_server() { fi if [ ! -d /var/run/openvswitch ]; then - install -d -m 755 -o root -g root /var/run/openvswitch + install -d -m 755 -o ovs -g ovs /var/run/openvswitch fi SSL_OPTS= @@ -139,6 +139,7 @@ start_server() { if [ -z "$DAEMONUSER" ] ; then start-stop-daemon --start --pidfile $PIDFILE \ --exec $DAEMON -- --detach --pidfile=$PIDFILE \ + --user ovs:ovs \ $LISTEN $DAEMON_OPTS $SSL_OPTS errcode=$? else diff --git a/debian/openvswitch-testcontroller.postinst b/debian/openvswitch-testcontroller.postinst index 7242b4a..e8584e2 100755 --- a/debian/openvswitch-testcontroller.postinst +++ b/debian/openvswitch-testcontroller.postinst @@ -42,6 +42,8 @@ case "$1" in chmod go+r cert.pem req.pem umask $oldumask fi + + chown ovs:ovs -R /etc/openvswitch-testcontroller ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/debian/openvswitch-vtep.init b/debian/openvswitch-vtep.init index ebf4e26..6fe02a1 100644 --- a/debian/openvswitch-vtep.init +++ b/debian/openvswitch-vtep.init @@ -10,6 +10,8 @@ # Description: Initializes the Open vSwitch VTEP emulator ### END INIT INFO +OVS_USER=ovs +OVS_GROUP=ovs # Include defaults if available default=/etc/default/openvswitch-vtep 
@@ -40,17 +42,21 @@ start () { cd /etc/openvswitch && ovs-pki req ovsclient && ovs-pki self-sign ovsclient fi + chown -R "$OVS_USER":"$OVS_GROUP" /etc/openvswitch + chown -R "$OVS_USER":"$OVS_GROUP" /var/run/openvswitch + ovsdb-server --pidfile --detach --log-file --remote \ punix:/var/run/openvswitch/db.sock \ --remote=db:hardware_vtep,Global,managers \ --private-key=/etc/openvswitch/ovsclient-privkey.pem \ --certificate=/etc/openvswitch/ovsclient-cert.pem \ --bootstrap-ca-cert=/etc/openvswitch/vswitchd.cacert \ + --user "$OVS_USER":"$OVS_GROUP" \ /etc/openvswitch/conf.db /etc/openvswitch/vtep.db modprobe openvswitch - ovs-vswitchd --pidfile --detach --log-file \ + ovs-vswitchd --pidfile --detach --log-file --user "$OVS_USER":"$OVS_GROUP" \ unix:/var/run/openvswitch/db.sock }
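Review bot: typo in the new NEWS line: "Debain package starts daemons as the 'ovs' user." should read "Debian package starts daemons as the 'ovs' user." Since this entry is what users will read to learn about the privilege drop, it could also name the daemons affected (ovs-vswitchd, ovsdb-server, the test controller and the VTEP emulator, all of which this patch touches).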
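Review bot: in the new debian/openvswitch-common.postinst, `adduser --system --group --no-create-home --quiet ovs || true` swallows every adduser failure, not only the "already exists" case, so a real failure (for example the name ovs already taken by a regular user) only shows up later as a confusing `chown: invalid user` under `set -e`. Check for the account first and let adduser's own exit status propagate:
    if ! getent passwd ovs >/dev/null; then
        adduser --system --group --no-create-home --quiet ovs
    fi
Also, `chmod -R 0770 $LOGDIR` marks the existing log files executable; directories want 0770 but files should be 0660 (`find "$LOGDIR" -type f -exec chmod 0660 {} +`), which also lines up better with the `create 640 ovs ovs` in the logrotate hunk. Minor: the header comment says "postinst script for openvswitch-switch" but this file belongs to openvswitch-common.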
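Review bot: the new `chown ovs:ovs -R /var/lib/openvswitch/pki` in debian/openvswitch-pki.postinst (and the same pattern in the openvswitch-switch.postinst and openvswitch-testcontroller.postinst hunks) assumes the ovs account already exists, but the account is only created by openvswitch-common.postinst; unless openvswitch-pki declares a dependency on openvswitch-common so that dpkg configures common first, this chown fails on a fresh install. Separately, `ovs-pki init` populates this directory with the CA material, and recursive ownership gives the daemon account write access to it; the commit message should say whether the daemons actually need to own the CA keys or whether read access to the certificates they present would suffice, since a compromised daemon could otherwise rewrite the CA.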
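Review bot: in debian/openvswitch-switch.init, `set "$@" --no-run-as-root` is added unconditionally, yet nothing in this patch teaches ovs-ctl that option; the commit message should point at the patch in the series that adds it, and it is worth checking that an init script from this package cannot be paired with an older ovs-ctl that rejects the flag. A short comment stating what ovs-ctl does with --no-run-as-root (in particular which account it selects) would also help, because unlike the testcontroller and VTEP scripts this one never names the ovs user.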
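Review bot: `create 640 ovs ovs` in debian/openvswitch-switch.logrotate drops the group-read access that `create 640 root adm` gave administrators in the adm group, and it leaves rotated logs at mode 0640 while openvswitch-common.postinst applies 0770 recursively to the same directory. Decide on one mode for log files; if adm should keep read access, `create 640 ovs adm` still lets the ovs-owned daemon write, and the postinst should then apply the same owner, group and mode.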
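Review bot: `chown ovs:ovs -R /etc/openvswitch` in debian/openvswitch-switch.postinst runs on every configure, including upgrades, and re-owns whatever an administrator has placed under /etc/openvswitch, including the ovsclient-privkey.pem and certificate files the VTEP hunk references; consider limiting it to the files the package itself creates (conf.db and the generated key material) or skipping files whose ownership was changed by hand. Style: this hunk carries a comment ("# fix owner and permissions for /etc/openvswitch.") while the identical chowns in the pki and testcontroller postinst hunks have none; pick one convention. Note also that the comment mentions permissions but the hunk only changes ownership.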
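Review bot: in debian/openvswitch-testcontroller.init, `--user ovs:ovs` is hard-coded while the VTEP script introduces OVS_USER/OVS_GROUP that /etc/default can override; use the same variables here (this branch already checks $DAEMONUSER, so the account is clearly meant to be configurable) so the account is defined in one place. Also, `install -d -m 755 -o ovs -g ovs /var/run/openvswitch` makes this the only script in the patch that creates the run directory with the right owner; the other init scripts rely on it existing.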
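Review bot: in the second debian/openvswitch-vtep.init hunk, `chown -R "$OVS_USER":"$OVS_GROUP" /var/run/openvswitch` assumes the directory exists, but nothing in this script creates it (only openvswitch-testcontroller.init does, with `install -d`), so when it is absent the chown fails before ovsdb-server is started. Create it first the same way:
    install -d -m 755 -o "$OVS_USER" -g "$OVS_GROUP" /var/run/openvswitch
The recursive chown of /etc/openvswitch on every start also duplicates what openvswitch-switch.postinst does at install time and will re-own files an administrator deliberately restricted; doing it once at package configure time is enough. The first VTEP hunk is fine as is: putting the OVS_USER/OVS_GROUP defaults before the /etc/default include lets the administrator override them.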